What is the correct way to specify the list of allowed SASL mechanisms
in an OpenLDAP server using Cyrus-SASL?

The cyrus-sasl documentation mentions the option mech_list, but I cannot
figure out where and how to specify this. Following some examples I found
on the net, I tried to include e.g.

    sasl-mech_list: PLAIN

in my slapd.conf, which I hoped would disable all SASL mechanisms but
PLAIN, but it didn't have any effect: the server still allowed me to
authenticate using e.g. EXTERNAL authentication.

Read the slapd.conf(5) manpage. Any directives not mentioned there (like
your made-up "sasl-mech_list") are not valid. Look at sasl-secprops; you
cannot use PLAIN with the default properties.

I also tried to specify mech_list in a separate per-application config
file for the sasl library,

    /usr/lib/sasl2/slapd.conf

but this file does not even get accessed by the server.